03-07-2012 10:52 PM
I'm trying to set up an ACL on my SG300-20 to enable FTP and a few other protocols to a server, but I'm running data that returns on different ports (i.e. active FTP).
Below is a sample:
-------------------------------------------
Extended IP access list Protocol_Restriction
permit tcp any ftp any any
-------------------------------------------
Now that works great to allow a connection, but with active FTP, when the data tries to come back on a different port (I assume), it is just hung up as all other ports are denied.
I even tried allowing all ports to come back from the server:
-------------------------------------------
Extended IP access list Protocol_Restriction
permit tcp any ftp any any
permit ip any host 192.168.0.100
-------------------------------------------
But that also didn't seem to work.
I've played around with this in layer 2 and layer 3 to no avail. I've also seen many tips on applying in and out to the various interfaces, but that doesn't seem to work. Is that something that is only available on higher-end switches/firewalls?
Can anyone assist with this?
Thanks,
03-08-2012 05:24 PM
Hi
There are a few rules to getting ACLs working.
So imagine that an ACL is like an ear listening to packets coming into the switch from some other device or IP host.
A scenario to restrict the FTP access of one host to one FTP server:
I wish to restrict one IP host (192.168.10.106) on switch port 8 from accessing an FTP server which is at IP address 192.168.10.101.
I created an ACE list below as part of an ACL. (I really didn't need the priority 20 entry.)
The restricted host is on switch port 8, so I would bind the ACL to switch port 8 to listen for patterns matched within my ACE list.
Here is the CLI it created, if you are interested:
ip access-list extended Restrict_FTP
deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21
permit tcp 192.168.10.0 0.0.0.255 any 192.168.10.101 0.0.0.0 20-21
permit ip any any
exit
interface gigabitethernet8
service-acl input Restrict_FTP
exit
Remember to save any changes.
Hope this helps, but if not check the following community post.
https://supportforums.cisco.com/thread/2061080
Regards, Dave
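As an added illustration (not from either post), here is a small first-match evaluator for ACEs written in the field order Dave's entries use (action, protocol, source, source wildcard, source port, destination, destination wildcard, destination port). It assumes "any" accepts every address or port, that the keyword ftp means TCP port 21 and ftp-data port 20, that "20-21" is an inclusive range, that tcp/udp entries carry both port fields as they do in this thread, and that an ACL ends in a default deny. Run against constructed packets, it shows why Dave's list blocks only host .106 on ports 20-21, and why the original "permit tcp any ftp any any" entry matches traffic sourced from port 21 but not an active-mode data connection sourced from port 20.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # standard FTP control/data ports

def parse_host(tokens):
    """'any' or 'addr wildcard' -> ((network_int, netmask_int), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))  # wildcard -> mask
    return (addr & netmask, netmask), tokens[2:]

def parse_port(tokens):
    """'any', a keyword, a number or 'lo-hi' -> ((lo, hi), remaining tokens)."""
    tok = tokens[0]
    if tok == "any":
        return (0, 65535), tokens[1:]
    if tok in PORT_NAMES:
        return (PORT_NAMES[tok], PORT_NAMES[tok]), tokens[1:]
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo)), tokens[1:]

def parse_ace(line):
    """Assumption: tcp/udp entries always carry source and destination ports."""
    action, proto, *rest = line.split()
    any_port = (0, 65535)
    src, rest = parse_host(rest)
    sport, rest = parse_port(rest) if proto in ("tcp", "udp") else (any_port, rest)
    dst, rest = parse_host(rest)
    dport, rest = parse_port(rest) if proto in ("tcp", "udp") else (any_port, rest)
    return action, proto, src, sport, dst, dport

def acl_action(acl_lines, proto, src, sport, dst, dport):
    """First matching ACE wins; no match falls through to the default deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for line in acl_lines:
        action, p, (snet, smask), sp, (dnet, dmask), dp = parse_ace(line)
        if p not in ("ip", proto):          # 'ip' entries match every protocol
            continue
        if ((s & smask) == snet and sp[0] <= sport <= sp[1]
                and (d & dmask) == dnet and dp[0] <= dport <= dp[1]):
            return action
    return "deny"

# The two ACLs from the thread; the packets in the test are constructed.
OP_ACL = ["permit tcp any ftp any any"]
DAVE_ACL = [
    "deny tcp 192.168.10.106 0.0.0.0 any 192.168.10.101 0.0.0.0 20-21",
    "permit tcp 192.168.10.0 0.0.0.255 any 192.168.10.101 0.0.0.0 20-21",
    "permit ip any any",
]
```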